How can I protect my Bitwarden account from brute-force attacks?
A: A brute-force attack is when a malicious actor cycles through a combination of weak and short passwords in an attempt to gain access to your account. Bitwarden offers a few ways you can protect yourself from these potential attacks:
Have a long and unique master password. Bitwarden requires a 12 character minimum to increase account security.
Set up 2FA on all Bitwarden accounts to add an additional layer of security.
Bitwarden will require CAPTCHA verification after 9 failed login attempts from an unknown device.
That’s right, now the limit on the number of login attempts is triggered on failed login attempts.
What should I specify for LOGIN_RATELIMIT_SECONDS and LOGIN_RATELIMIT_MAX_BURST so that after 10 failed login attempts, the next one will be in 5 minutes?
This is a great option. We hope it will be added soon. Thx.
If i’m correct from the top of my head that would be: LOGIN_RATELIMIT_SECONDS=300 LOGIN_RATELIMIT_MAX_BURST=10 And i set 10 here, but keep in mind that since you use 2FA, which causes the clients to call that endpoint a second time within those 5 minutes.
Also note, we do this for every attempt, not only failed logins, because someone could also try to use invalid logins or try multiple etc…
So, this does mean that if you login from the same IP on 5 different devices which all need to enter a 2FA within 5 minutes, that after that you can’t login anymore, and need to wait for 5 minutes to try again.
Does this work for the IP-account vaultwarden mapping?
For example: I have 50 users, they who log in from the same IP (NAT) in vaultwarden. User (email@example.com) entered 10 times wrong password. Will only firstname.lastname@example.org or all users get login restriction (5 minutes)?